Without a dynamic and interactive approach, contract management can be one of the trickiest parts of third-party risk management. Without firm guidelines and centralized storage, companies can make costly errors. Left unattended, contracts no one intends to renew are allowed to continue simply because the notification deadline is missed; service-level items are not followed up on appropriately, and costly lapses can occur.
There are ways to control the contract process and ensure alignment with the expectations initially intended for the relationship. The starting point is to gather all contracts into one place while also setting firm, policy-based ground rules around contract management. Once assembled, getting them into a highly structured yet customizable platform solution is imperative.
Ideally, the tracking of critical items will be automated and structured so that due dates, such as termination notification dates and service level agreement deliverables, are not missed. Being able to report on those metrics becomes essential as well.
When it comes to the contract itself, certain key elements need always to be called out, including:
- A clear statement of work – Avoid any ambiguity on what the third party is obligated to do
- Rights and responsibilities – What is each party responsible for and where do the handoffs occur
- Due diligence – If items are missing or unable to be released until the post-contract signing, this is the time to call them out and contractually commit them (often, things like business continuity plans or evidence of penetration testing)
- Ongoing monitoring – What type of reporting or requirements around material events is anticipated, noting the frequency and delivery expectations
- Breach/material changes notification – If something happens at the third party, what timelines are expected and to whom the notice needs to go
- Rights to audit – Whether it’s evidence of an external audit or rights to go on-site to audit the third party on behalf of the company, this needs to be spelled out
- Termination standards – With a critical third party, an accompanying exit strategy designed to minimize disruption to the business and the customer should be spelled out. There should be clear language around notification periods, reasons for termination, etc.
- Designated signing authority – Have a signing authority roster or clear guidelines as to who can sign on behalf of the company
- Privacy – Privacy standards and expectations need to be clearly articulated, especially if they fall under the jurisdiction of GDPR, CCPA, or other emerging privacy regulations. Failure to communicate these standards may allow a third party to miss its obligations
- Nondisclosure – If a nondisclosure agreement is not already in place, the contract may be too little too late, but it is still an excellent opportunity to delineate expectations around information sharing and company-to-company interactions
- Rights to post-termination use of data – Even after the contract ends, there are times when a company (a marketing company, for example) may continue to use customers’ data for purposes not originally intended. Guidelines around the return of non-public information, and restrictions on the use of such data, should be articulated
Different services require different types of contracts; they can vary heavily and may build upon the key elements mentioned above. With Fusion, clients are empowered to manage all of these items in a consistent, structured manner. By carefully managing contracts, businesses can avoid unnecessary mistakes or lapses in contractual coverage and minimize disruptive issues.
A well-structured approach to contract management that allows for customization and flexibility can provide the resilience and assurance that a company needs to succeed in third-party risk management and beyond.